Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    CREATE RULE NAT OVER OPEN VPN SITE TO SITE TUNNEL

    Scheduled Pinned Locked Moved OpenVPN
    14 Posts 4 Posters 1.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • C
      charneval
      last edited by charneval

      Hello, i'm in this situation, i have two places connected with vpn tunnel (OpenVPN site to site) and all run correctly. The place "A" have this network 172.16.8.0/24. The place "B" have this network 172.16.9.0/24. Place A and Place B comunicate by the tunnel 10.0.10.0/24. Connect to the network of the place B there is a NAS with this IP "172.16.9.240" and it respose on the port 8080. If from network A i go to the NAS all work regulary, but i would like to create a NAT rules from any on the place network A to the NAS connect to the place network B by the tunnel VPN.
      I didn't configure the two PFSENSE Firewall to achive this target.

      Thanks.
      Andrea

      V 1 Reply Last reply Reply Quote 0
      • V
        viragomann @charneval
        last edited by

        @charneval said in CREATE RULE NAT OVER OPEN VPN SITE TO SITE TUNNEL:

        Connect to the network of the place B there is a NAS with this IP "172.16.9.240" and it respose on the port 8080. If from network A i go to the NAS all work regulary, but i would like to create a NAT rules from any on the place network A to the NAS connect to the place network B by the tunnel VPN.

        Can you explain a bit more clearly what you intend and what's not working at this time?

        1 Reply Last reply Reply Quote 0
        • Bob.DigB
          Bob.Dig LAYER 8
          last edited by

          I DON'T THINK IT IS POSSIBLE!

          1 Reply Last reply Reply Quote 0
          • C
            charneval
            last edited by

            Hi.
            The public ip address of the site A is : 92.245.173.212 and I create a nat rule from any to the port 8080 of the nas 172.16.9.240 connected in the site B. This nat doesen’t work.
            I think the problem in the outgoing nat configuration.
            I connected the site B by an openvpn site to site and the pfsense in the site A can’t correct forward the packet.
            How can I configure the outbound nat by the openvpn tunnel.

            Thanks

            Andrea

            V 1 Reply Last reply Reply Quote 0
            • V
              viragomann @charneval
              last edited by

              @charneval said in CREATE RULE NAT OVER OPEN VPN SITE TO SITE TUNNEL:

              The public ip address of the site A is : 92.245.173.212 and I create a nat rule from any to the port 8080 of the nas 172.16.9.240 connected in the site B.

              So at site A you have a port forwarding rule for destination WAN address 8080 to 172.16.9.240 8080, correct?

              If you don't need any information about the origin source address, you can simply masquerade the packets at site A.

              Are both VPN endpoints pfSense and are both the default gateway in their respective local network?

              C 1 Reply Last reply Reply Quote 0
              • C
                charneval @viragomann
                last edited by

                @viragomann said in CREATE RULE NAT OVER OPEN VPN SITE TO SITE TUNNEL:

                If you don't need any information about the origin source address, you can simply masquerade the packets at site A

                Hi.
                For masquerade the packets at site " A " I must do an Hybrid Outbound NAT rule generation right ?
                Do I have to mask all the packets of the wan arriving on the 8080 port towards the network configured in the openvpn?
                Or there is another method ?

                Thanks

                V 1 Reply Last reply Reply Quote 0
                • V
                  viragomann @charneval
                  last edited by viragomann

                  @charneval
                  Yes, switch the Outbound NAT at A into hybrid mode.
                  Then add a rule with at least these parameters:

                  interface: the OpenVPN interface you have asigned to the VPN connection, if any, otherwise can also add it to OpenVPN (interface group)
                  source: any
                  destination: 172.16.9.240
                  translation: interface address

                  Or there is another method ?

                  Other than masquerading? Yes, masquerading is a workaround, which is easy to configure. You can also forward it without NAT, but you would have to obey some precepts.

                  C 1 Reply Last reply Reply Quote 0
                  • C
                    charneval @viragomann
                    last edited by

                    @viragomann
                    Hi.
                    Can you check if this configuration is correct ?
                    I can't find the target

                    http://euroservizi.hopto.org:8080

                    tt1.jpg tt2.jpg tt3.jpg tt4.jpg

                    I disable the nat rule in the wan but if enable it the problem is the same.

                    When I connect by the oepnvpn client at the server " A " I have't any problem and I can reach the 172.16.9.240:8080

                    Thanks

                    Andrea

                    V 1 Reply Last reply Reply Quote 0
                    • V
                      viragomann @charneval
                      last edited by

                      @charneval
                      The source port in the Outbound NAT rule has to be any (according to the port forwarding rule). The source port is dynamic, not static.

                      J 1 Reply Last reply Reply Quote 0
                      • J
                        Jarhead @viragomann
                        last edited by

                        If you have a VPN between the sites, there's no need to port forward anything. Just set the appropriate rules.
                        Or maybe I'm missing something?

                        V 1 Reply Last reply Reply Quote 0
                        • V
                          viragomann @Jarhead
                          last edited by

                          @jarhead
                          Seems so.
                          We are talking here about forwarding requests from public internet sources to a device at the other site.

                          1 Reply Last reply Reply Quote 0
                          • C
                            charneval
                            last edited by

                            Hello.
                            i can't figure out where the error is and i would like to trace packets to see where they are blocked.
                            I try to enter on port 8080 (https://89.189.48.194:8080) which should send me back to the web server of the nas (172.16.9.240) behind the firewall 172.16.9.254 of the remote office (this is the site to site vpn client) .
                            Is nat's rule correct in your opinion?

                            in the remote firewall (client of the vpn) I don't have to do anything right?
                            He knows where to reroute the packet that should come to him from the VPN interface.

                            Thanks.nat1.jpg

                            V 1 Reply Last reply Reply Quote 0
                            • V
                              viragomann @charneval
                              last edited by

                              @charneval
                              Also the port translation box must be empty. However, basically it should work anyway.

                              Did you enable the port forwarding to 172.16.9.240:8080?

                              On the remote site you need you need to allow the incoming packets, either on the interface you've assigned to the VPN if any or on the OpenVPN tab.

                              which should send me back to the web server of the nas (172.16.9.240)

                              Is it a web server running as VM on the NAS or the web interface of the NAS itself?
                              A NAS typically blocks access from outside of it own subnet by default.

                              He knows where to reroute the packet that should come to him from the VPN interface.

                              The outbound NAT rule translates the source address of packets destined to the remote web server into the virtual IP of the OpenVPN server (or client, doesn't matter. btw. you didn't show the interface assignment. Is it the correct network port if you have multiple VPNs). So this is the IP the web server will see. That responses come back to the remote pfSense requires the it's the default gateway of course. Since the remote pfSense has a VPN with the servers IP it should route responses back properly.

                              1 Reply Last reply Reply Quote 0
                              • C
                                charneval
                                last edited by

                                Thanks to this fantastic forum I was able to solve my problem.
                                Thanks a lot to everyone and especially to @ viragomann

                                1 Reply Last reply Reply Quote 0
                                • First post
                                  Last post
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.